IT security catalogue for plant operators

The IT Security Act, which came into force in August 2015, once again amended the existing Energy Industry Act (EnWG) and thereby specified the requirements for an IT security catalogue for plant operators. This catalogue, in accordance with § 11 (1b) EnWG, was published in December 2018. Its regulations concern companies that are regarded as critical infrastructure (KRITIS). The threshold values above which facilities are regarded as critical infrastructure within the meaning of the Energy Industry Act and the BSI Act are defined by the BSI KRITIS Ordinance (BSI-KritisV). For electricity generation plants, this value is 420 MW of installed net nominal electrical capacity.

This IT security catalogue requires the certification of an information security management system (ISMS) according to ISO/IEC 27001:2013. Certification of the ISMS must take place within 1.5 years of the catalogue coming into force; the certificate must be submitted to the Federal Network Agency (BNetzA) at the appropriate time. According to the EnWG, the measures necessary for safe operation must be taken. In contrast to network operators, whose catalogue has already been published, the operators for whom this catalogue is binding must also comply with VGB Standard 175. All assets of the company concerned are assigned to one of six zones according to their criticality and relevance for plant operation. Zones 1-3 are mandatory when defining the ISMS scope: assets and systems in these zones must be included in the scope of the ISMS.

Obligation to report under § 8a (3) of the BSI Act
Furthermore, plant operators that are considered to be KRITIS had to name a contact point to the BSI within six months of the BSI-KritisV coming into force, which corresponds to the beginning of November 2017, and are already subject to reporting requirements in the event of an incident!

Significant IT malfunctions that lead or could lead to a breakdown of the system must be reported. The BSI analyzes the reports and, with the aid of further sources, compiles them into a situation picture. This is used to create warning messages and recommendations for action.

You can find out when a fault is to be reported to the BSI and how failure and impairment are defined on our main page on the obligation to report.

We do more than help you meet the regulatory requirements of the IT security catalogue. At the same time, we optimize the technically effective safety of your control technology.

Control technology & factual security situation as a basis for effective IT security
A high-quality ISMS for the control technology, which is based on the standards ISO/IEC 27001:2013 and VGB S-175, must be oriented to the general conditions applicable in this area. These include the long life cycle, consideration of the revision, current operating regimes and available resources. At this point, the legislator also refers to ISO/IEC TR 27019:2013, which specifies the safety measures of ISO/IEC 27002:2013 with regard to control technology.

We start all projects with a technical analysis of the current situation. So your ISMS stands on a solid, realistic foundation right from the start. We deliver a solution tailored exactly to your actual security situation. The requirements of control technology are integrated into this concept right from the start.

The technically effective ISMS
We offer an ISMS with a significantly higher level of security. It focuses on technically effective protection. We create control documents based on the control technology. Special emphasis is placed on safeguarding the control technology. The operationalization of the ISMS documents ensures that the ISMS is given its technical effectiveness. You should think of tomorrow today - and make incident management an integrated part of the ISMS.

We help you to minimize reportable incidents from the outset by providing effective technical security for your control technology.

More effective and therefore less expensive
The particularly efficient admeritia methodology offers you significant cost advantages - among other things by minimizing the effort during the ISMS development phase.
Here, the focus on the basic conditions of control technology, the actual security situation and the individual company requirements pays off. The development of an ISMS, including certification, takes two to three years.

A technical and organizational gap analysis can significantly reduce the time required. The entire project is thus on a solid basis right from the start.

This is how we can help you

  • Security Management (ISMS according to DIN ISO/IEC 27001:2015)
  • Organizational and technical gap analyses
  • Creation of security guidelines, processes and procedures
  • ISMS implementation at organizational level according to DIN ISO/IEC 27001:2015
  • ISMS operationalization / technically effective implementation of security concepts and measures on a technical level
    • Development of Incident Management
    • Network security
    • Protection of basic services
    • Technical Compliance according to DIN ISO/IEC 27001:2015
  • Takeover of "IT security contact person" mandate
    • Analysis and preparation of security incidents and recommendations for countermeasures to ensure compliance with the tasks of the "IT security contact person".

Your contact person


Andreas Eichmann

Senior account manager
Tel. +49 2173 20363-0

Reference projects

  • Implementation of IT security catalogue
    • Transmission system operators
  • Implementation of IT security catalogue
    • Area network operators
  • Network segmentation and implementation of centrally controlled basic services
    • Plant operator


Committee work

  • Mirror committee NA 043-01-27
    • DIN
  • ISO/IEC JTC1 SC27 (WG3 and WG4)
    • ISO
  • KITS Advisory board
    • KITS



Lectures

  • Operationalization of a network operator ISMS
    • AK IT-security officer EVU
    • Nov 2016
  • Practical report - Development of an ISMS at an area network operator
    • VDE Symposium
    • Sep 2016
  • The benefits of a security test for the implementation of the IT security catalogue
    • VKU Info day
    • Sep 2015


Publications

  • ISMS: Pure paperwork or technically effective?
    • EW
    • Apr 2015
  • IT security catalogue: Don't lose any time during implementation
    • City hall consultation
    • Mar 2015
  • Continuous security management with the help of central services
    • SPS IPC Drives Kongress
    • Nov 2012